Getting ahead of the hackers

Shipowners, managers and operators have just over a year before their fleets need to comply with IMO’s ISM Code from 1 January 2021.

Many shipping companies are already assessing their exposure to risk and developing IT policies to include in their Safety Management Systems aimed at mitigating it. But many companies will not be prepared for IMO 2021, and even more will not be aware of the ease with which cyber criminals can access passwords and use emails to penetrate maritime companies.

There is growing evidence of cyber criminals using email to extort money from shipping company employees or alter cargo manifests. Cyber criminals are continually experimenting with new techniques to evade detection.

They are researching their targets and tailoring emails for staff in specific roles. Another tactic is to spoof emails from high-ranking colleagues in the expectation staff lower down the chain will drop their guard and follow the request unquestioningly.

Shipping company executives, who wished to remain anonymous, told Maritime Digitalisation & Communications during events in the United Arab Emirates and in London how their organisation’s employees were targeted by cyber criminals through email and social media.

Container shipping companies and terminals appear to be key targets for cyber crime. Secure email specialist GTMaritime director Mike McNally highlights a recent incident in the Gulf of Guinea when “cyber criminals sent spoof emails requesting a cargo manifest, with a view to possibly attacking the vessel and targeting the containers with the highest-value contents”. On this he comments, “the more convincing an email appears, the greater the chance employees will fall for the scam”.

Container shipping should initially consult and follow industry guidance, says Digital Container Shipping Association chief operating officer Henning Schleyerbach. “We will look at implementing BIMCO recommendations for cyber security,” he says. “With IMO 2021 coming and people waiting until it is urgent, we will get shipowners together and we will come up with a solution for deployment.”

Ports are also a target for cyber criminals and need to be better prepared, says Port of Rotterdam head of digital strategy and transformation Martijn Thijsen. “Cyber attacks have a big impact on terminals,” he says. “Ports need to be ready with technology security. It is about the maritime ecosystem and being ahead of the hackers.”

Maritime organisations need to prepare staff to identify cyber threats and encourage them to inform managers, says Mr McNally.

“It is important to make crew aware they are under attack,” he says. “To bring to their attention the real-world consequences of a moment’s carelessness or inattention. To reveal the techniques and tricks fraudsters will utilise to manipulate them.”

He explains companies should deliver practically focused guidance on how to identify a potential phishing attempt. “Familiarising staff with the various strategies fraudsters employ to deceive them and sharing practical advice for distinguishing dishonest messages from legitimate ones can make an enormous difference,” says Mr McNally.

“To maximise its effectiveness, formal training should be reinforced by periodic refresher courses.” Warning notices near computer terminals act as constant reminders to seafarers to be vigilant for potential threats.

“Checklists are a simple but good way of instilling new behaviours and preventing carelessness as long as they are not perceived as perfunctory, annoying or unnecessary,” Mr McNally continues. “Giving crew a say in what items go on a list or letting them adjust it according to their needs or work style can engender a greater sense of ownership.”

SoftImpact consultant in maritime cyber security Alexandros Theofilou says USB memory sticks are also a potential risk. “USBs can carry viruses that can be blocked by antivirus, but they do not block everything,” he says. USBs are widely used by port authority officials and service engineers for transferring data.

“People need to think before plugging then in,” says Mr Theofilou. “They need to be cautious for a program on the USB could affect ECDIS or GPS. It could change ECDIS depth alarms to 50 m and cause a ship to crash and cause pollution.”

Cyber security specialist Naval Dome chief executive Itai Sela thinks shipping companies should look beyond attributing system breaches to human error.

“A cyber criminal will always need the unwitting assistance of an unsuspecting crew member, technician or employee to activate or spread the virus,” he says. “It is not enough to put it under the ‘human factor’ umbrella or apportion individual blame when a critical system has been breached.”

He thinks tougher system protection is required. “A cyber incident happens because systems are not protected,” he says. “Hackers will continue to develop innovative ways and sophisticated solutions intended to take advantage of any weak spots in human nature.”

Email security checklist

A checklist for all personnel involved in maritime on what to question and check from emails, from GTMaritime director Mike McNally.

• Question unusual requests: Be alert to suspicious instructions from high-level executives – especially those involving financial transfers. If in any doubt, contact managers to verify requests. Do not hit reply. Do start a new email chain.
• Do not follow suspect links: There is no fool-proof way to tell whether an email is genuine. It is better to err on the side of caution and not click on any links.
• Check the email sender and URL: Check whether the sender’s domain (detailed after the @ sign in the email address) matches the claimed source of the email. Fraudsters deliberately use incorrect spellings of legitimate domains in the hope of evading detection.
• Check that links lead to where they are supposed to: Hovering a mouse over a link will reveal its destination URL. If the link bears no relation to the claimed destination, do not click.
• Check for a personal salutation: Legitimate senders will usually address their customer by name, while phishing attempts will likely to use a generic greeting.
• Take time to review the email: To encourage a hasty response, phishing emails often include time sensitive requests. Make time to review all emails to ensure they are genuine before acting on any request.
• Do not give out personal or sensitive information: Be wary of emails requesting account details or other sensitive information. Contact the sender in another way to confirm the legitimacy of their request.
• Check the design and quality: Phishing emails often contain poor spelling and grammar, or incorrectly reproduce graphics stolen from the claimed source.
• Ask for help: If you receive a suspected phishing email, forward to your IT department.

Riviera Maritime Media’s Optimised Ship Forum will offer insights into implementing digitalisation solutions for maximum benefit on 10 December 2019 in London. Book your ticket now.